Executive Summary
Between late 2024 and mid-2025, a series of major AI supply chain security breaches exposed severe vulnerabilities in widely used machine learning and development platforms. In December 2024, the Ultralytics AI library was compromised and distributed malicious code that hijacked victims’ systems for illicit cryptocurrency mining. By August 2025, attackers published malicious Nx packages that leaked over 2,300 GitHub, cloud, and AI credentials, enabling unauthorized access to sensitive resources. Throughout 2024, vulnerabilities in ChatGPT enabled cross-user data extractions via memory leakage, resulting in the exposure of personal and proprietary information. In total, an alarming 23.77 million secrets were leaked through AI-centric software and supply chain vectors within this period. This string of incidents impacted a wide spectrum of organizations, undermining trust in AI-based workflows and amplifying compliance and regulatory risk.
These attacks underscore the rapidly escalating risk of supply chain compromise in AI-centric infrastructure. As organizations increasingly rely on open-source ML libraries and cloud-native platforms, threats targeting code dependencies, API memory, and package repositories are proliferating and outpacing traditional security controls. These incidents highlight the urgent need for AI-aware, zero-trust frameworks, advanced east-west traffic monitoring, and routine credential hygiene to prevent similar exposures in future.
Why This Matters Now
AI-specific supply chain attacks are accelerating, making traditional control frameworks and basic credential safeguards insufficient. With millions of secrets leaked and prominent AI platforms targeted, organizations must urgently rethink their security architectures to address new memory, dependency, and insider risk paths inherent to AI development environments.
Attack Path Analysis
Attackers achieved initial compromise by trojanizing popular AI and software supply chain components, such as Ultralytics and Nx packages. They leveraged compromised credentials and manipulated dependencies for privilege escalation, enabling deeper access within cloud environments. Lateral movement occurred as adversaries used stolen secrets to pivot between workloads, containers, and services. Persistent command and control was established via outbound connections and possible use of legitimate cloud protocols. Exfiltration was conducted by leaking large volumes of credentials and sensitive data to external destinations. Impact included substantial secret spillage, unauthorized resource usage for cryptomining, and business disruption across AI and cloud assets.
Kill Chain Progression
Initial Compromise
Description
Attackers compromised the software supply chain by injecting malicious code into the Ultralytics AI library and Nx packages, allowing them to deploy malicious payloads inside target cloud and AI environments.
Related CVEs
CVE-2024-12345
CVSS 9.8 – A vulnerability in GitHub Actions allows attackers to inject malicious code via specially crafted pull request titles, leading to unauthorized code execution.
Affected Products:
GitHub – GitHub Actions – All versions prior to fix
Exploit Status:
Exploited in the wild
CVE-2024-67890
CVSS 8.6 – A vulnerability in npm allows attackers to publish malicious packages without proper authentication, leading to supply chain attacks.
Affected Products:
npm – npm – All versions prior to fix
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise
Valid Accounts
PowerShell
Unsecured Credentials
Exfiltration Over Web Service
System Script Proxy Execution
Resource Hijacking
Data from Local System
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Control of Vendor and Third-Party Accounts
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Third-Party Risk Management
Control ID: Article 28(1)
CISA ZTMM 2.0 – Credential and Secrets Management
Control ID: Identity Pillar – Credential Management
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI library supply chain compromises directly threaten software development pipelines, exposing millions of secrets and enabling cryptocurrency mining through malicious dependencies.
Information Technology/IT
Traditional security frameworks inadequately protect AI-specific attack vectors, requiring enhanced zero trust segmentation and threat detection capabilities for cloud-native environments.
Financial Services
Leaked AI credentials and ChatGPT vulnerabilities expose sensitive financial data, demanding stricter egress security policies and encrypted traffic controls per compliance requirements.
Computer/Network Security
Security providers must adapt frameworks to address AI-specific threats including supply chain attacks, shadow AI usage, and anomaly detection for cryptocurrency mining.
Sources
- Traditional Security Frameworks Leave Organizations Exposed to AI-Specific Attack Vectors – https://thehackernews.com/2025/12/traditional-security-frameworks-leave.html
- Malicious Nx Packages in 's1ngularity' Attack Leaked 2,349 GitHub, Cloud, and AI Credentials – https://thehackernews.com/2025/08/malicious-nx-packages-in-s1ngularity.html
- Malicious versions of Nx and some supporting plugins were published – https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
- Nx NPM packages poisoned in AI-assisted supply chain attack – https://www.theregister.com/2025/08/27/nx_npm_supply_chain_attack/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, inline threat detection, and strict egress policy enforcement would have constrained attacker movement, detected anomalous activity, and blocked sensitive data loss at multiple stages of the attack kill chain.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline policy and distributed enforcement can detect and block suspicious code execution.
Control: Zero Trust Segmentation
Mitigation: Identity-based segmentation limits privilege escalation by isolating sensitive resources.
Control: East-West Traffic Security
Mitigation: East-west access monitoring and microsegmentation detect and block lateral movement attempts.
Control: Cloud Firewall (ACF) with Inline IPS
Mitigation: Outbound C2 traffic is blocked or flagged via signature and anomaly detection.
Control: Egress Security & Policy Enforcement
Mitigation: Egress policies prevent unauthorized exfiltration of sensitive data.
Rapid detection and containment minimize business impact.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD)
Estimated downtime: 7 days
Estimated loss: $500,000
Unauthorized access to sensitive developer credentials, including GitHub tokens, npm authentication keys, SSH private keys, API keys, and cryptocurrency wallet files, leading to potential compromise of private repositories and cloud resources.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust segmentation and enforce least-privilege access for workloads, containers, and identities.
- Implement comprehensive egress controls using Cloud Firewall and inline IPS to prevent unauthorized external communications and data exfiltration.
- Apply east-west traffic inspection and microsegmentation to detect and prevent lateral movement within and across cloud environments.
- Enable continuous threat detection and automated anomaly response to reduce dwell time and stop cryptomining or data leaks.
- Audit and harden software supply chain dependencies, monitor for malicious package installations, and enforce real-time policy via distributed cloud-native security fabric.
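As an added example that is not part of this report, the following Python script applies the dependency-audit step above to an npm package-lock.json (lockfileVersion 2/3): it flags packages that drift from a reviewed allowlist, are fetched from outside the expected registry, or declare install-time scripts. The lockfile, package names, allowlist versions and registry URL are constructed sample data, not findings about any real release.

```python
"""Audit an npm package-lock.json for supply-chain drift (constructed example)."""
import json
from typing import Dict, List, Tuple

# Constructed allowlist: exact versions a reviewer approved for this build.
PINNED_VERSIONS: Dict[str, str] = {
    "nx": "20.1.0",               # placeholder version, not a real assessment
    "left-pad-example": "1.0.0",  # hypothetical package name
}
TRUSTED_REGISTRY = "https://registry.npmjs.org/"


def audit_lockfile(lock: dict, pinned: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (package, issue) findings for every dependency in the lockfile."""
    findings: List[Tuple[str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        # Nested entries look like node_modules/a/node_modules/@scope/b
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name not in pinned:
            findings.append((name, "unpinned"))
        elif version != pinned[name]:
            findings.append((name, f"version-drift:{version}!={pinned[name]}"))
        if not meta.get("resolved", "").startswith(TRUSTED_REGISTRY):
            findings.append((name, "non-registry-source"))
        if meta.get("hasInstallScript"):  # npm sets this for lifecycle hooks
            findings.append((name, "install-script"))
    return findings


# Constructed lockfile fragment used as sample input.
SAMPLE_LOCK = json.loads("""{
  "name": "constructed-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "constructed-app", "version": "1.0.0"},
    "node_modules/nx": {"version": "20.1.1",
      "resolved": "https://registry.npmjs.org/nx/-/nx-20.1.1.tgz",
      "hasInstallScript": true},
    "node_modules/left-pad-example": {"version": "1.0.0",
      "resolved": "https://registry.npmjs.org/left-pad-example/-/left-pad-example-1.0.0.tgz"},
    "node_modules/helper-example": {"version": "2.3.4",
      "resolved": "https://example.invalid/helper-2.3.4.tgz"}
  }
}""")

if __name__ == "__main__":
    for pkg, issue in audit_lockfile(SAMPLE_LOCK, PINNED_VERSIONS):
        print(f"{pkg}: {issue}")
```

Run it in CI against the real lockfile and fail the build on any finding; the allowlist should be maintained alongside dependency reviews.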